WannaCry cyber-attack: how will impending new laws affect security obligations and regulatory risk?

Written on 18 May 2017

An unprecedented cyber-attack on 12 May 2017, which affected over 45,000 organisations globally, provides yet another stark example of why all businesses need to implement robust measures to protect their data and IT infrastructure, and know what to do should the worst happen.

Discussion around cyber security protection often centres on the protection of data, and the changes to the regulation of data protection being introduced by the EU’s General Data Protection Regulation. But the WannaCry attack illustrates that not all cyber security incidents are about data. Where the victims of an incident are providers of essential services – such as the NHS in this case – another incoming piece of (typically less talked about) EU legislation will impose obligations, and potentially sanctions: the EU Network and Information Security (NIS) Directive.

The most successful ransomware attack in history

Last Friday’s attack received widespread coverage across the world, and at the time of writing is still on-going. It has been of particular interest in the UK because of the extent to which the NHS, the country’s largest employer and provider of critical healthcare infrastructure, was affected. The compromising of the organisation’s dated Microsoft Windows XP software was so extensive that in many cases staff had no option but to resort to pen and paper. Further afield, it has been reported that companies including FedEx, Renault and Spanish telecoms giant Telefonica were also disrupted.

Ransomware – malicious software that encrypts computer files in order to elicit a ransom – is not the preserve of sophisticated criminals, with one security expert commenting that the software in this case could have been “put together in someone’s spare time”. While it may not be overly sophisticated, though, the disabling effect on major organisations can be colossal.

The same is true of many cyber security incidents and the message for organisations is clear: while there is only so much that can be done to avoid being the recipient of targeted attacks by determined groups, even basic ‘hygiene-level’ measures can prevent a significant proportion of potential incidents. Simple things like ensuring that necessary software updates are installed and training staff on good practices can avert a potentially disastrous incident.

The UK Government’s Cyber Security Strategy, announced in 2016, commits £1.9 billion to improving the UK’s defences, but this has to be supported with appropriate technical and organisational measures taken by all public and private entities, particularly where they provide essential services.

The NIS Directive

The EU’s NIS Directive, which must be implemented by all Member States by May 2018, is intended to ensure that there are minimum cyber security standards for operators of essential services across all Member States. Companies within “critical sectors” including banking, health care, energy and transport, as well as certain digital service providers, will be obliged to take appropriate technical and organisational measures to manage cyber security risks and report major cyber security incidents to the relevant national authority. National authorities will share information between themselves and work together to improve cyber security across the EU.

The precise identification of the entities covered by the definitions in the NIS Directive is left to Member States (aside from digital service providers, which will be common across the EU), so we await guidance from each Member State on exactly which entities will be covered in that Member State and what the minimum/appropriate security measures will be.

Likewise, penalties are not specified in the NIS Directive, with Member States given freedom to set sanctions when they implement the NIS Directive into national law. However, we would expect the level of fines to be set at a substantial level, to reflect the growing significance and recognition globally of cyber security as a top priority. This would also be consistent with the imminent, significant increase in the level of fines that will be capable of being imposed for data security breaches, under the GDPR, which applies to all organisations that handle personal data, and also comes into effect in May 2018.

It has not yet been announced whether a new regulator will be created to enforce the NIS Directive, or whether this will fall to an existing regulator. There has been some suggestion that this role will fall to the Information Commissioner’s Office, which will also be responsible for enforcing the GDPR. Certainly, for organisations to which the NIS Directive applies, there will be some similarities between the sort of organisational and technical measures required by each piece of legislation, and the potential for overlap in the incident reporting and enforcement regimes.

The effect of Brexit

The UK will still be a member of the EU in May 2018, by which time it must take steps to implement the NIS Directive. And with the government’s intention being to retain all EU-derived law (at least initially) post-Brexit, both the NIS Directive and the GDPR will continue to apply. The UK has confirmed in any event that it is committed to the Directive, which will work alongside its own NIS strategy, which offers guidance on how organisations can protect themselves.

However, a key part of the NIS Directive is the requirement for information sharing and co-operation between Member States, both on cyber risks and during specific incidents (like the WannaCry attack). Until the exit negotiations are completed, we do not know to what extent the UK and EU will continue to co-operate and share information post-Brexit.

Companies operating cross-border, particularly digital services providers, will also be concerned that, with the NIS Directive leaving much of the detail to national implementing legislation, they may need to comply with different standards across Europe. While it is hoped that EU Member States will work together to ensure a degree of harmonisation, Brexit may mean that there is more potential for the UK to diverge from the EU in the standards and sanctions that it sets.

Comment

This attack is a timely reminder of the requirement to take appropriate measures to protect systems. With many of the victims being entities that are likely to be covered by the NIS Directive, it is particularly important for operators of ‘essential services’ to urgently re-assess security measures and implement technical and organisational changes where necessary. As most organisations review their systems in advance of the GDPR, compliance with the NIS Directive standards, when released, should be included in this process where relevant.

The WannaCry attack also emphasises the importance of advance planning and stress-testing crisis management plans. Osborne Clarke assists clients across all stages of crisis management, from implementing appropriate measures, to ‘war games’ simulating an attack and advising on the correct response. Cyber incidents can cause significant economic and reputational harm for any business, so it is important that they are adequately addressed.
